Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

BlackNurse Low-Volume DoS Attack Targets Firewalls

Researchers say BlackNurse attacks are low bandwidth (18Mbps) and can still knock offline many of today’s firewalls.

A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP) -based attack on vulnerable firewalls made by Cisco, Palo Alto, SonicWall and others, according to researchers.

TDC Security Operations Center, a security firm that published a technical report (PDF) on BlackNurse this week, said the attack is more traditionally called a “ping flood attack.” In this type of assault, traffic volume doesn’t matter as much as the type of packets sent, researchers said.

According to TDC, BlackNurse is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests. These are packet replies typically returned to ping sources indicating the destination port is “unreachable,” according to researchers.

In a description of BlackNurse, an attacker causes a Denial of Service (DoS) state by overloading the firewall’s host CPU. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet,” according to TDC.

“Firewall logging during the attack can increase the impact from the attack, which means that the firewall gets even more exhausted,” TDC wrote.

BlackNurse attacks are similar to, but not to be confused with, related ICMP Type 8 Code 0 attacks, also called a ping flood attack, according to TDC. “ICMP based attacks in general are a well-known attack type used by some DDoS attackers,” TDC wrote. Researchers explain:

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

Noteworthy, BlackNurse DoS attack volume intensity hovers between a paltry 15 to 18 Mbps (or 40 to 50K packets per second), according to researchers. That’s in stark contrast to the 1 Tbps DDoS attack recorded against DNS provider Dyn last month.

The low volume DDoS attack is effective because the goal is not to flood the firewall with useless traffic, but rather to drive high CPU loads. To that end many firewall vendors protect against ICMP-based attacks. But blocking all ICMP types and codes isn’t an option, for fear that something will likely to break down, TDC said.

As for vulnerable firewalls, TDC singles out some Cisco ASA firewalls. According to a SANS Internet Storm Center report on BlackNurse, Cisco firewalls that are newer, larger and are multi-core appear to be fine. However, SonicWall and some Palo Alto firewalls appear to be vulnerable, according to Johannes Ullrich, dean of research at SANS Technology Institute and author of the SANS ISC post.

Cisco, SonicWall and Palo Alto were contacted for this report, but did not reply.

Testing for BlackNurse, suggests TDC, includes allowing ICMP on the WAN side of a firewall and conducting tests with the tool Hping3, a free packet generator and analyzer for the TCP/IP protocol. Detection includes adopting SNORT IDS/IPS rules to spot the attack, according TDC which outlines its own rules. Mitigation includes creating a “list of trusted sources for which ICMP is allowed and could be configured” and “disabling ICMP Type 3 Code 3 on the WAN interface,” TDC said.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.